
writeups · 2 min read

WriteUp - Poison (HackTheBox)

Poison write-up (HackTheBox): simple FreeBSD machine that exploits LFI in browse.php to poison Apache logs and obtain RCE, extracts credentials from pwdbackup.txt, and escalates to root via VNC with leaked password.

· Manuel López Pérez · writeups


In this post we will solve the machine Poison from HackTheBox. It is an easy-rated FreeBSD machine. My nick in HackTheBox is manulqwerty. If you have any proposal or correction, do not hesitate to leave a comment.

Write-Up

Enumeration

As always, the first thing will be a port scan with Nmap:

nmap -sC -sV 10.10.10.84

Let's look at the web server. The script /browse.php includes a file chosen by the client, which gives us a Local File Inclusion (LFI). The name of the machine is a hint: to turn the LFI into a shell we will poison the Apache logs, so that the log file we include through the LFI contains PHP code of our choosing.

Exploitation

For this we will follow the tutorial we wrote a few months ago: https://ironhackers.es/en/tutoriales/lfi-to-rce-envenenando-ssh-y-apache-logs/ Since the target runs FreeBSD, the Apache access log is not in the Linux location but at:

/var/log/httpd-access.log

Poisoning the Apache log this way gives us RCE straight away, and from there a reverse shell. On the web server we also find the file pwdbackup.txt (it can be read directly through the LFI, so the shell is not needed for this). Its content is a password that has been base64-encoded at least 13 times. Let's decode it, one layer per pass:

# salida0 holds the original pwdbackup.txt; each pass strips one base64 layer
for ((i=0; i<13; i++)); do base64 -d "salida$i" > "salida$((i+1))"; done
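The loop above hard-codes 13 passes, which works here because the file tells us the depth. The function below is an added example (not the author's script) that generalises the step: it keeps decoding while the current data still looks like base64 and stops at the first layer that does not, or whose decoding would produce non-text, so it also handles an unknown depth and the case where the final plaintext happens to be valid base64 itself. Whitespace and line breaks are ignored, as `base64 -d` does. The password used in the test is the one from this write-up; the encoded blob is constructed in the test, not copied from the machine.

```python
"""Peel an unknown number of base64 layers off a blob.

Added example for this write-up; not the author's code.
"""
import base64
import binascii
import re
import string
import sys

_B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
_WHITESPACE = re.compile(rb"\s+")


def looks_like_base64(data: bytes) -> bool:
    """True if data (ignoring whitespace) is non-empty, uses only the base64
    alphabet and has a length that is a multiple of 4."""
    stripped = _WHITESPACE.sub(b"", data)
    return (bool(stripped)
            and len(stripped) % 4 == 0
            and _B64_ALPHABET.match(stripped) is not None)


def _is_text(data: bytes) -> bool:
    """Printable ASCII (including whitespace) only."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch in string.printable for ch in text)


def peel_base64(data: bytes, max_rounds: int = 64) -> tuple:
    """Repeatedly base64-decode data. Returns (final_bytes, rounds).

    Stops when the current layer is not valid base64, or when decoding it
    would yield non-text (then the current layer is already the plaintext,
    e.g. a password that by chance is made of base64 characters).
    max_rounds is a guard against pathological inputs.
    """
    rounds = 0
    while rounds < max_rounds and looks_like_base64(data):
        try:
            decoded = base64.b64decode(_WHITESPACE.sub(b"", data), validate=True)
        except binascii.Error:
            break
        if not _is_text(decoded):
            break          # went one layer too far; keep the current data
        data = decoded
        rounds += 1
    return data, rounds


if __name__ == "__main__":
    # usage: python3 peel.py pwdbackup.txt
    with open(sys.argv[1], "rb") as fh:
        plain, n = peel_base64(fh.read())
    print("layers removed: %d" % n)
    print(plain.decode("ascii", errors="replace"))
```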

In /etc/passwd we see that there is a user charix. The output of the last decoding pass is his password, so let's log in via SSH with the credentials charix:Charix!2#4%6&8(0

Post-Exploitation

In /home/charix we find the file secret.zip. It is protected with the same password, Charix!2#4%6&8(0, so we can extract it; inside is a file called secret.

Reviewing the running processes we see that a VNC server is running as root. Let's check the listening ports with sockstat, the FreeBSD alternative to netstat: VNC is listening on port 5901 on localhost only, so we cannot reach it from outside. We will forward that port through an SSH tunnel and connect with vncviewer, passing the extracted file secret as the VNC password file:

ssh -L 5901:localhost:5901 charix@10.10.10.84
vncviewer localhost:5901 -passwd secret

The VNC session belongs to root, which completes the escalation.
